convert rst to md

2021-07-14 09:08:36 +02:00
parent c5946ce814
commit 138c08e60e
2 changed files with 123 additions and 139 deletions
@@ -0,0 +1,123 @@
+---
+title: Accounts
+---
+
+Linux accounts are generally stored and managed in Active Directory.
+
+```{note} 
+Current user (uid) and group (gid) ranges can be found here:  [UID and GID Management](https://git.psi.ch/linux-infra/documentation/blob/master/pdf/UID_and_GID.pdf) 
+```
+
+# Account Types
+
+There are several types of accounts, which are usually indicated by a
+prefix or suffix:
+
+-   Normal accounts. No prefix or suffix. Older accounts are just last
+    names, newer accounts are LASTNAME_X, where X is the first letter of
+    the given name.
+-   Global accounts. These have a `gac-` prefix. There are only a
+    handful of these on Linux so far, due to concerns about the lack of
+    login restrictions.
+-   Administrator accounts. Marked with an `-adm` suffix.
+-   External users. These start with an `ext-` prefix and are provided
+    to external users, ie. those who are not PSI employees.
+-   Service accounts. These come with an `svcusr-` prefix and are used
+    for running services.
+
+# UID Allocation
+
+  ---------------- -------------
+  Old accounts     1000-6000
+  GFA accounts     10000-30000
+  External users   30000-35000
+  New accounts     35000+
+  ---------------- -------------
+
+# LDAP Attribute Mapping
+
+  Attribute   LDAP Attribute
+  ----------- ------------------------
+  username    `msSFU30Name`
+  UID         `msSFU30UidNumber`
+  GID         `msSFU30GidNumber`
+  home        `msSFU30HomeDirectory`
+  shell       `msSFU30LoginShell`
+
+# Primary Groups
+
+At PSI the user-private group scheme (UPG), the default on Red Hat
+distributions, is **not** used. Instead, every user\'s primary group is
+usually one specific to the group/department the user is working for,
+eg. `unx-ait`.
+
+Users for whom there is no natural choice of primary group are assigned
+`unx-nogroup`.
+
+# Low GIDs
+
+A number of groups have very low GIDs (\<500), in particular:
+
+    unx-fkt:*:101:
+    unx-lke:*:110:
+    unx-abe:*:120:stingelin
+    unx-aea:*:130:
+    unx-lmu:*:140:
+    unx-lem:*:141:
+    unx-muesr:*:150:
+    unx-asm:*:210:
+    unx-lrp:*:220:
+    unx-zrp:*:221:
+    unx-ash:*:230:
+    unx-ppt:*:280:
+    unx-pmr:*:290:
+    unx-cmt:*:301:
+    unx-lfk:*:310:
+    unx-lch:*:320:
+    unx-lns:*:330:
+    unx-lap:*:340:
+    unx-lmn:*:350:
+    unx-asq:*:360:
+    unx-crpp:*:370:
+    unx-psq:*:380:
+    unx-psz:*:390:
+    unx-gabe:*:402:
+    unx-lrs:*:410:
+    unx-lth:*:420:
+    unx-lwv:*:430:
+    unx-les:*:440:
+    unx-dtp:*:451:
+    unx-lsu:*:490:
+
+# Shells
+
+We support bash, and we also try to keep tcsh working.
+
+Currently bash, tcsh, and sh are used. The form for ordering accounts
+also offers `/bin/ksh` and `/bin/zsh`. The most popular by far is bash.
+
+# Special Accounts
+
+## `linux_ldap`: query LDAP
+
+The [linux_ldap]{.title-ref} account has read-only permissions on a
+limited subset of the LDAP attributes. It is used by
+[nslcd]{.title-ref}, for example, to query LDAP for users\' uid, gid,
+etc.
+
+The password should not be shared unnecessarily, but it does not need to
+be specifically protected either. In fact, in earlier releases of
+Scientific Linux it was necessary to have [/etc/nslcd.conf]{.title-ref},
+which contains the password, world-readable.
+
+This account **must not** be given additional access or privileges.
+
+## `linuxadjoin.psi.ch@D.PSI.CH`
+
+This account is a pure AD account (ie it doesn\'t have Unix attributes
+like uid), which is used to manage computer objects in AD automatically.
+In particular, it is used to precreate computer objects to allow
+password-less AD joins.
+
+The account is only used on the Puppet server and has no (known)
+password. Instead a keytab is used to get a valid Kerberos ticket.
@@ -1,139 +0,0 @@
-==========
- Accounts
-==========
-
-Linux accounts are generally stored and managed in Active Directory.
-
-
-```{note}
-Current user (uid) and group (gid) ranges can be found here: 
-[UID and GID Management](https://git.psi.ch/linux-infra/documentation/blob/master/pdf/UID_and_GID.pdf)
-```
-
-
-
-Account Types
-------------
-
-There are several types of accounts, which are usually indicated by a prefix or
-suffix:
-
- Normal accounts. No prefix or suffix. Older accounts are just last names,
-  newer accounts are LASTNAME_X, where X is the first letter of the given name.
- Global accounts. These have a ``gac-`` prefix. There are only a handful of
-  these on Linux so far, due to concerns about the lack of login restrictions.
- Administrator accounts. Marked with an ``-adm`` suffix.
- External users. These start with an ``ext-`` prefix and are provided to
-  external users, ie. those who are not PSI employees.
- Service accounts. These come with an ``svcusr-`` prefix and are used for
-  running services.
-
-
-UID Allocation
--------------
-
-==============  ===============
-Old accounts    1000-6000
-GFA accounts    10000-30000
-External users  30000-35000
-New accounts    35000+
-==============  ===============
-
-
-LDAP Attribute Mapping
----------------------
-
-=========  ========================
-Attribute  LDAP Attribute
---------  ------------------------
-username   ``msSFU30Name``
-UID        ``msSFU30UidNumber``
-GID        ``msSFU30GidNumber``
-home       ``msSFU30HomeDirectory``
-shell      ``msSFU30LoginShell``
-=========  ========================
-
-
-Primary Groups
--------------
-
-At PSI the user-private group scheme (UPG), the default on Red Hat
-distributions, is **not** used. Instead, every user's primary group is usually
-one specific to the group/department the user is working for, eg. ``unx-ait``.
-
-Users for whom there is no natural choice of primary group are assigned
-``unx-nogroup``.
-
-
-Low GIDs
--------
-
-A number of groups have very low GIDs (<500), in particular::
-
-    unx-fkt:*:101:
-    unx-lke:*:110:
-    unx-abe:*:120:stingelin
-    unx-aea:*:130:
-    unx-lmu:*:140:
-    unx-lem:*:141:
-    unx-muesr:*:150:
-    unx-asm:*:210:
-    unx-lrp:*:220:
-    unx-zrp:*:221:
-    unx-ash:*:230:
-    unx-ppt:*:280:
-    unx-pmr:*:290:
-    unx-cmt:*:301:
-    unx-lfk:*:310:
-    unx-lch:*:320:
-    unx-lns:*:330:
-    unx-lap:*:340:
-    unx-lmn:*:350:
-    unx-asq:*:360:
-    unx-crpp:*:370:
-    unx-psq:*:380:
-    unx-psz:*:390:
-    unx-gabe:*:402:
-    unx-lrs:*:410:
-    unx-lth:*:420:
-    unx-lwv:*:430:
-    unx-les:*:440:
-    unx-dtp:*:451:
-    unx-lsu:*:490:
-
-
-Shells
------
-
-We support bash, and we also try to keep tcsh working.
-
-Currently bash, tcsh, and sh are used. The form for ordering accounts also
-offers ``/bin/ksh`` and ``/bin/zsh``. The most popular by far is bash.
-
-
-Special Accounts
----------------
-
-``linux_ldap``: query LDAP
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The `linux_ldap` account has read-only permissions on a limited subset of the
-LDAP attributes. It is used by `nslcd`, for example, to query LDAP for users'
-uid, gid, etc.
-
-The password should not be shared unnecessarily, but it does not need
-to be specifically protected either.  In fact, in earlier releases of
-Scientific Linux it was necessary to have `/etc/nslcd.conf`, which
-contains the password, world-readable.
-
-This account **must not** be given additional access or privileges.
-
-``linuxadjoin.psi.ch@D.PSI.CH``
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-This account is a pure AD account (ie it doesn't have Unix attributes like uid),
-which is used to manage computer objects in AD automatically. In particular, it
-is used to precreate computer objects to allow password-less AD joins.
-
-The account is only used on the Puppet server and has no (known) password.
-Instead a keytab is used to get a valid Kerberos ticket.